On 2007-04-20, Ben Russo ben@muppethouse.com wrote:
> I checked in /usr/share/docs/selinux-policy-2.4.6/html and find no references (using grep) for "cupsd_disable_trans". I google on "cupsd_disable_trans" and find no references either.
All the *_disable_trans booleans mean that the service will not transition from the selinux unconfined domain to a restricted selinux domain (in cups's case cupsd_t). So your system will not be protected from this service if you set the *_disable_trans boolean.
> How do I find out what this boolean object is or does? Is there a description of it somewhere? Is it dangerous to just run the command that sealert tells me to run?
I find that the advice sealert gives is quite often bad advice. It will fix your problem, but you should really evaluate whether you're opening up too much by following the advice. Here sealert is suggesting turning off selinux protection of cups.
> avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000" path="socket:[15083]" pid=5515 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0
This seems very strange. All the labels above seem correct to me, but why would cupsd need to access (/var/lib/rpm/) "__db.000"?
-jf
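One way to pull the fields out of an AVC record like the one quoted above, so the source domain, target type and requested permissions can be read off before deciding whether a sealert suggestion such as a *_disable_trans boolean is acceptable. This is an added example, not code from the thread or from the SELinux tools; AVC_LINE is a constructed copy of the record quoted above, and the field names are the ones that appear in it.

```python
import re

# Constructed copy of the AVC record quoted in the thread (kept as one line).
AVC_LINE = (
    'avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000" '
    'path="socket:[15083]" pid=5515 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file '
    'tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0'
)

# "avc: denied { read, write } for <key=value ...>"; permissions may be
# separated by spaces (audit.log style) or commas (as in the quoted record).
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)'
)
# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict: result, perms list, and each key=value field."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {
        "result": m.group("result"),
        "perms": [p for p in m.group("perms").replace(",", " ").split()],
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Third field of user:role:type[:range] is the SELinux type (domain for a process)."""
    return context.split(":")[2]


def summarize(rec):
    """Reduce a parsed record to what matters when judging a suggested remedy."""
    src = type_of(rec["scontext"])
    tgt = type_of(rec["tcontext"])
    return {
        "source_domain": src,
        "target_type": tgt,
        "tclass": rec["tclass"],
        "perms": rec["perms"],
        # A process still in its confined domain is what a *_disable_trans
        # boolean would throw away; unconfined_t means no confinement at all.
        "confined": src != "unconfined_t",
    }
```

For the quoted record, summarize() reports cupsd_t asking for read and write on a file of type rpm_var_lib_t, which is the question raised above: the labels are right, so the open point is why cupsd touches that file at all.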